
user activation for issuance requirement #86

Open
yuval-t opened this issue Oct 1, 2021 · 0 comments

Comments


yuval-t commented Oct 1, 2021

Hello,

  1. I think the user activation requirement might be problematic or even a blocker for the ad-fraud detection use-case, where user interaction with captchas is not usually possible.

  2. The risk here seems to be low, and the activation defense might not be a problem for an attacker (who can just ask you to click, or wait for you to click, or something). Other options to mitigate this might be requiring caching of redemption tokens, rate limiting redemptions, or removing the private bit option (all have their own problems).

  3. Is it possible to restrict the issuer to set the same bit/bits on all tokens in the batch to mitigate data transfer?

  4. Do you think randomizing token redemption order might mitigate this attack (transforming data transfer from #tokens bits to log(#tokens) bits)? Also, the browser can randomly delete tokens to reduce the amount of information.

  5. Regarding the sentence: "At redemption, we can slow down the rate of redemption by returning cached Redemption Records when an issuer attempts too many refreshes" - is there a requirement for a minimum caching time? How is it a mitigation if not?

  6. In addition, I'm interested in whether Chrome currently implements or intends to implement this activation requirement - I haven't found it in the design document. Do you have more information about this?

What do you think?

Thanks!
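Points 3 and 4 of the issue are an information-capacity argument about the private metadata bit: with one bit per token, n redeemed tokens can carry n bits of cross-site information; if the browser randomizes redemption order the verifier only learns how many bits were set (about log2(n + 1) bits); and if the issuer is forced to set the same bit on every token in a batch the channel collapses to 1 bit. The following added example (not part of the issue or of the Trust Token spec or Chrome's implementation) models that channel so the three mitigations can be compared numerically. The token/bit representation and the `observe_after_mitigations` browser model are constructed assumptions for illustration only.

```python
import math
import random

# Constructed model of the private-metadata-bit channel discussed in the issue:
# an issuer sets one private bit per token, and a verifier that later sees the
# redeemed tokens can read those bits back. Each function below quantifies how
# many bits of cross-site information the channel carries under one mitigation.


def capacity_ordered(n_tokens: int) -> float:
    """No mitigation: tokens are redeemed in issuance order, so every token's
    private bit is a separately readable symbol (n bits for n tokens)."""
    return float(n_tokens)


def capacity_unordered(n_tokens: int) -> float:
    """Random redemption order (point 4): the verifier can only learn how many
    of the n bits are set, a value in 0..n, i.e. log2(n + 1) bits. This is
    the log(#tokens) figure from the issue."""
    return math.log2(n_tokens + 1)


def capacity_batch_uniform(n_tokens: int) -> float:
    """Issuer restricted to the same bit on all tokens in a batch (point 3):
    the whole batch carries a single bit, no matter how many tokens it has."""
    return 1.0 if n_tokens > 0 else 0.0


def observe_after_mitigations(bits, rng, shuffle=True, drop_prob=0.0):
    """Constructed browser-side model: optionally discard each token with
    probability drop_prob (random deletion from point 4) and optionally
    shuffle the redemption order. Returns the sequence of private bits the
    verifier actually observes at redemption."""
    kept = [b for b in bits if rng.random() >= drop_prob]
    if shuffle:
        rng.shuffle(kept)
    return kept


def recoverable_count(observed):
    """After shuffling, the only issuer-controlled signal that survives is the
    number of set bits; the per-token ordering (the issuer's message) is gone."""
    return sum(observed)


def capacity_table(n_tokens: int) -> dict:
    """Side-by-side leakage budget for a batch of n tokens, in bits."""
    return {
        "ordered": capacity_ordered(n_tokens),
        "random_order": capacity_unordered(n_tokens),
        "batch_uniform": capacity_batch_uniform(n_tokens),
    }


if __name__ == "__main__":
    rng = random.Random(7)  # fixed seed so the demo is reproducible
    message = [1, 0, 1, 1, 0, 0, 1, 0]  # constructed 8-token batch, one bit each
    print("capacity (bits):", capacity_table(len(message)))
    seen = observe_after_mitigations(message, rng, shuffle=True, drop_prob=0.25)
    print("verifier sees:", seen, "-> set-bit count", recoverable_count(seen))
```

The numbers make the trade-off in point 4 concrete: shuffling alone takes an 8-token batch from 8 bits down to about 3.17 bits, random deletion adds noise to even that count, and the batch-uniform restriction from point 3 is the only one of the three that makes the budget independent of batch size.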
